Data Protection Changes – Heads up!
The General Data Protection Regulation (GDPR) is the new governing legislation for collecting and processing personal data in the EU. It comes into effect on 25 May 2018 for all EU member states and the Government has stated that it will be applied in the UK as it will still be a member of the EU at that time. It will replace the Data Protection Directive which is currently in place in the UK.
The GDPR requires that personal data is processed in accordance with many of the same principles as the current Data Protection Act 1998. However, there are new requirements that employers should take note of.
What you need to be aware of:
- Consent from individuals to the processing of their personal data must be unambiguous and given by means of a clear confirmation action. This is in addition to the current requirement that consent must be freely given, specific and informed.
- If consent is given through a written declaration, the request for consent must be clearly distinguishable from other matters and easy to understand. Consent will not be freely given if a contract is conditional on obtaining consent that is not necessary for the contract to be performed.
- The deadline for subject access requests has been reduced from 40 days to one month and data controllers will no longer have the right to demand a £10 fee from applicants.
- Data controllers must notify the ICO within 72 hours if personal data has been lost, destroyed or accessed without authority.
- For the first time data processors (and not just data controllers) will have obligations under the GDPR. Agreements with data processors will need to be more detailed.
- Currently the maximum fine which can be imposed by the ICO is £500,000. This will increase significantly under the GDPR. The maximum fine available for a serious breach of the GDPR will be 4% of worldwide turnover or €20 million, whichever is higher.
- Employers will need to carry out audits of the employee personal data they collect and process to ensure that it meets GDPR conditions for employment consent.
For employers, the new requirements mean that generic consents (for example, those contained in the body of an employment contract) will not be a valid legal basis to justify processing employee personal data.
Employers will need to make sure that they have a valid justification for collecting employee personal data.
Regulators will have the ability to impose a wide range of sanctions, including specific compliance orders and a ban on processing personal data. Additionally, organisations that breach the GDPR may be subject to private claims for compensation by individuals or legal bodies on behalf of individuals.
It is not yet known how the UK’s data protection regime will operate after the UK exits the EU. However, it is recommended that employers prepare for the changes for a number of reasons.
Even after the UK exits from the EU, the GDPR will continue to apply directly to:
- Organisations established in the EU (for example international organisations with an EU presence); and
- Organisations established outside of the EU, but that process personal data of individuals in the EU in relation to offering goods or services, or monitoring the behaviour of individuals in the EU.
It is also likely that after the UK leaves the EU, the UK will seek to maintain the level of protection of personal data. This would involve either continuing to apply the GDPR, or implementing data protection legislation with an equivalent level of protection to that of the GDPR.